PatchSiren cyber security CVE debrief
CVE-2025-41267 Waterfall CVE debrief
A high-severity OS command injection vulnerability (CWE-78) exists in the Administration WebUI of the Waterfall WF-500 TX Host, affecting firmware version 7.9.1.0 R2502171040. The flaw was identified by Nozomi Networks Labs and published on 2026-05-29, with the NVD record subsequently modified on 2026-06-01. The vulnerability allows remote authenticated attackers to execute arbitrary operating system commands on the affected host. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack requirements, high privileges required, and user interaction present, with high impacts to confidentiality, integrity, and availability of the vulnerable system. The CPE configuration confirms the firmware version is vulnerable, while the hardware itself is not directly marked as vulnerable. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Waterfall
- Product: WF-500
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-06-01
- Advisory published: 2026-05-29
- Advisory updated: 2026-06-01
Who should care
Organizations operating Waterfall WF-500 TX Host devices in industrial control system or operational technology environments should prioritize assessment and remediation. Security teams responsible for OT/ICS infrastructure, network administrators managing Waterfall Security solutions, and compliance personnel tracking vulnerability exposure for critical infrastructure assets have direct interest in this vulnerability.
Technical summary
The Waterfall WF-500 TX Host firmware version 7.9.1.0 R2502171040 contains an OS command injection vulnerability in its Administration WebUI. The improper neutralization of special elements in OS commands (CWE-78) enables remote authenticated attackers with high privileges to inject and execute arbitrary operating system commands on the host. Successful exploitation could result in complete compromise of the device's confidentiality, integrity, and availability. The attack requires network access and user interaction, with low attack complexity. The vulnerability was disclosed by Nozomi Networks Labs and published on 2026-05-29.
Defensive priority
HIGH
Recommended defensive actions
- Restrict administrative access to the WF-500 TX Host Administration WebUI to only essential personnel and enforce strong authentication controls.
- Apply security updates from Waterfall Security when available, monitoring the vendor advisory for patch release information.
- Implement network segmentation to limit access to the Administration WebUI from untrusted networks.
- Review and monitor administrative access logs for anomalous activity that may indicate attempted or successful command injection exploitation.
- Conduct vulnerability scanning or firmware validation to confirm the running version and identify affected systems.
Evidence notes
The vulnerability is classified as CWE-78 (OS Command Injection) per the primary weakness source. The affected product is Waterfall WF-500 firmware, version 7.9.1.0 R2502171040 and earlier, based on CPE criteria. The CVSS 4.0 score of 8.5 reflects high severity despite requiring high privileges and user interaction, due to the complete compromise potential (high confidentiality, integrity, and availability impacts).
Official resources
- CVE-2025-41267 CVE record (CVE.org)
- CVE-2025-41267 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
Nozomi Networks Labs disclosed this vulnerability to Waterfall Security. The advisory was published as a vendor advisory on 2026-05-29.